Commit graph

661 commits

Author SHA1 Message Date
Green Wan
70415e1e52 board: sifive: add HiFive Unmatched board support
Add defconfig and board support for HiFive Unmatched.

Signed-off-by: Green Wan <green.wan@sifive.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Rick Chen <rick@andestech.com>
2021-05-31 16:35:55 +08:00
Michal Simek
ce869b55f8 spl: Kconfig: Use tabs instead of space for alignment
A lot of entries were using spaces instead of tab for alignment that's why
it is good to fix it to use the same style everywhere.

Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-05-26 17:26:07 -04:00
Sean Anderson
4d65c6bcd7 sysinfo: Require that sysinfo_detect be called before other methods
This has the uclass enforce calling detect() before other methods.  This
allows drivers to cache information in detect() and perform (cheaper)
retrieval in the other accessors. This also modifies the only instance
where this sequencing was not followed.

Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-05-04 07:57:18 -04:00
Alexandru Gagniuc
58b504e5e1 Revert "spl: Drop bd_info in the data section"
This reverts commit 38d6b7ebda.

struct global_data contains a pointer to the bd_info structure. This
pointer was populated spl_set_bd() to a pre-allocated bd_info in the
".data" section. The referenced commit replaced this mechanism to one
that uses malloc(). That new mechanism is only used if SPL_ALLOC_BD=y.
which very few boards do.

The result is that (struct global_data)->bd is NULL in SPL on most
platforms. This breaks falcon mode, since arch_fixup_fdt() tries to
access (struct global_data)->bd and set the "/memory" node in the
devicetree. The result is that the "/memory" node contains garbage
values, causing linux to panic() as it sets up the page table.

Instead of trying to fix the mess, potentially causing other issues,
revert to the code that worked, while this change is reworked.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-04-19 11:34:01 -04:00
Alexandru Gagniuc
51d3a8b54f spl: LOAD_FIT_FULL: Support 'kernel' and 'firmware' properties
The 'firmware' property of a config node takes precedence over the
'kernel' property. 'standalone' is deprecated. However, give users a
couple of releases where 'standalone' still works, but warns loudly.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-04-14 16:02:43 -04:00
Alexandru Gagniuc
60138aa87c spl: LOAD_FIT_FULL: Relocate FDT for u-boot payloads
U-Boot expects the FDT to be located right after the _end
linker symbol (see fdtdec.c: board_fdt_blob_setup())

The "basic" LOAD_FIT path is aware of this limitation, and relocates
the FDT at the expected location. Guessing the expected location
probably only works reliably on 32-bit arm, and it feels like a hack.
One proposal would be to pass the FDT address to u-boot
(e.g. using 'r2' on arm platforms).

The variable is named "fdt_hack" to remind future contributors that,
"hey! we should fix the underlying problem". However, that is beyond
the scope of this patch.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-04-14 16:02:43 -04:00
Alexandru Gagniuc
2eaae17bc9 spl: LOAD_FIT_FULL: Do not hard-code os to IH_OS_U_BOOT
The information on the OS should be contained in the FIT, as the
self-explanatory "os" property of a node under /images. Hard-coding
this to U_BOOT might send us down the wrong path later in the boot
process.

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-04-14 16:02:43 -04:00
Alexandru Gagniuc
18fd663c63 spl: LOAD_FIT_FULL: Fix selection of the "fdt" node
The correct FDT to use is described by the "fdt" property of the
configuration node. When the fit_unamep argument to fit_image_load()
is "fdt", we get the "/images/fdt" node. This is incorrect, as it
ignores the "fdt" property of the config node, and in most cases,
the "/images/fdt" node doesn't exist.

Use NULL for the 'fit_unamep' argument. With NULL, fit_image_load()
uses the IH_TYPE_FLATDT value to read the config property "fdt",
which points to the correct FDT node(s).

fit_image_load() should probably be split into a function that reads
an image by name, and one that reads an image by config reference. I
don't make those decisions, I just point out the craziness.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-04-14 15:23:01 -04:00
Alexandru Gagniuc
35f4f8e6fc spl: fit: Support loading FPGA images from list of "loadables"
Commit 4afc4f37c7 ("doc: FIT image: Clarify format and simplify
syntax") and delegated FPGA images to be added via the list of
"loadables" in lieu of the "fpga" property. Now actually implement
this in code.

Note that the "compatible" property is ignored for the time being, as
implementing "compatible" loading is beyond the scope of this change.
However, "u-boot,fpga-legacy" is accepted without warning.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-04-14 15:23:01 -04:00
Alexandru Gagniuc
d8a395109e spl: fit: Warn if FIT contains "fpga" property in config node
Commit 4afc4f37c7 ("doc: FIT image: Clarify format and simplify
syntax") requires that FPGA images be referenced through the
"loadables" in the config node. This means that "fpga" properties in
config nodes are deprecated.

Given that there are likely FIT images which use "fpga", let's not
break those right away. Print a warning message that such use is
deprecated, and give users a couple of releases to update their

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-04-14 15:23:01 -04:00
Alexandru Gagniuc
55e7a1a435 spl: fit: Move FPGA loading code to separate functions
The FPGA loading code in spl_simple_fit_read() can easily be separated
from the rest of the logic. It is split into two functions instead of
one because spl_fit_upload_fpga() is used in a subsequent patch.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-04-14 15:23:01 -04:00
Alexandru Gagniuc
f0a6ec3656 spl: fit: Don't overwrite previous loadable if "load" is missing
spl_load_fit_image() will try to load an image at the address given
in the "load" property. Absent such property, it uses

	image_info->load_addr

Correct use of this is demonstrated in spl_fit_append_fdt(), which
resets the 'load_addr' before each spl_load_fit_image() call.

On the other hand loading "loadables" loop in spl_load_simple_fit()
completely ignores this. It re-uses the same structure, but doesn't
reset load_addr. If loadable [i] does not have a "load" property, its
load address defaults to load_addr, which still contains the address
of loadable [i - 1].

A simple solution is to treat NULL as an invalid load address. The
caller can set load_addr = 0 to request an abort if the "load"
property is absent.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-04-14 15:23:01 -04:00
Tom Rini
a1e95e3805 u-boot-imx-20210409
-------------------
 
 - Secure Boot :
 	- HAB for MX8M / MX7ULP
 	- CAAM fixes
 - Fixes for imxrt1020
 - Fixes for USDHC driver
 - Fixes for Toradex (Colibri / Apalis)
 - Switch to DM for several boards
 	- mx23 olinuxo
 	- usbarmory
 	- marsboard / riotboard
 	- Gateworks GW Ventana
 - NXP upstream patches (LPDDR / CAAM / HAB)
 
 CI: https://source.denx.de/u-boot/custodians/u-boot-imx/-/pipelines/7089
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQS2TmnA27QKhpKSZe309WXkmmjvpgUCYHA8Xg8cc2JhYmljQGRl
 bnguZGUACgkQ9PVl5Jpo76aVbQCfb0Z+N836ZSAodyLa0t6FSHgKqfYAnRdrWQAv
 MNlGOmmpfHENtE75eSnd
 =g48D
 -----END PGP SIGNATURE-----

Merge tag 'u-boot-imx-20210409' of https://gitlab.denx.de/u-boot/custodians/u-boot-imx

u-boot-imx-20210409
-------------------

- Secure Boot :
	- HAB for MX8M / MX7ULP
	- CAAM fixes
- Fixes for imxrt1020
- Fixes for USDHC driver
- Fixes for Toradex (Colibri / Apalis)
- Switch to DM for several boards
	- mx23 olinuxo
	- usbarmory
	- marsboard / riotboard
	- Gateworks GW Ventana
- NXP upstream patches (LPDDR / CAAM / HAB)

CI: https://source.denx.de/u-boot/custodians/u-boot-imx/-/pipelines/7089
2021-04-09 10:08:52 -04:00
Tim Harvey
aa0032f672 spl: fit: nand: allow for non-page-aligned elements
Add a weak nand_get_mtd function for nand drivers to provide mtd info
and use this to set pagesize such that reading of non page-aligned
elements can succeed.

The spl_load_simple_fit already handles block block access so all we
need to do is provide the nand writesize as the block length.

Further cleanup of the drivers which use nand_spl_loaders.c such as
am335x_spl_bch.c, atmel_nand.c, and nand_spl_simple.c could be done
using info from mtd_info instead of statically defined details.

Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
2021-04-08 20:29:53 +02:00
Tim Harvey
39cb85043c spl: fit: nand: skip bad block handling if NAND chip not fully defined
commit 9f6a14c47f ("spl: fit: nand: fix fit loading in case of bad blocks")
added support for adjusting the image offset to account for bad blocks.
However this requires nand_spl_adjust_offset() which requires fully defined
specifics of the NAND chip being used may not be avialable.

Allow skipping this support for drivers or configs which don't specify
the NAND chip details statically with defines.

Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
2021-04-08 20:29:53 +02:00
Bin Meng
ae2d9506a3 riscv: sifive: Rename fu540 board to unleashed
In preparation to add SiFive Unmatched board support, let's rename
the existing fu540 board to unleashed.

Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Leo Yu-Chi Liang <ycliang@andestech.com>
2021-04-08 15:37:29 +08:00
Simon Glass
529d5f96cf cpu: Rename SPL_CPU_SUPPORT to SPL_CPU
The _SUPPORT suffix is from an earlier time and interferes with use of
the CONFIG_IS_ENABLED() macro. Rename the option to drop the suffix.

Tidy up the TODO that prompted this.

Signed-off-by: Simon Glass <sjg@chromium.org>
2021-03-27 15:04:31 +13:00
Simon Glass
05e3a0d648 spl: Split out bootstage ID into a function
We have two separate places that need to figure out the bootstage ID to
use. Put this code in a function so that the logic is in one place.

Signed-off-by: Simon Glass <sjg@chromium.org>
2021-03-27 15:04:31 +13:00
Simon Glass
95a5825f31 dm: core: Add an option to support SPL in read-only memory
Some systems (e.g. x86 APL) run SPL from read-only memory. The device
instances created by dtoc are therefore not writeable. To make things work
we would need to copy the devices to read/write memory.

To avoid this, add an option to use a separate runtime struct for devices,
just as is done for drivers. This can be used to hold information that
changes at runtime, avoiding the need for a copy.

Also add a Kconfig option for read-only SPL, which selects this feature.

Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Simon Glass <sjg@chromium.org>
2021-03-26 17:03:09 +13:00
Simon Glass
891d9e84a7 spl: Convert spl_fit to work with sandbox
At present this casts addresses to pointers so cannot work with sandbox.
Update the code to use map_sysmem() instead.

As part of this change, the existing load_ptr is renamed to src_ptr since
it is not a pointer to load_addr. It is confusing to use a similar name
for something that is not actually related. For the alignment code,
ALIGN() is used instead of open-coded alignment. Add a comment to the line
that casts away a const.

Use a (new) load_ptr variable to access memory at address load_addr.

Signed-off-by: Simon Glass <sjg@chromium.org>
2021-03-12 09:57:31 -05:00
Simon Glass
1a9e75bd5d spl: Drop duplicate 'Jumping to U-Boot' message
This is printed twice but we only need one message, since there is very
little processing in between them. Drop the second one, since all branches
of the switch() already have output. Update the U-Boot message to include
the phase being jumped to.

Signed-off-by: Simon Glass <sjg@chromium.org>
2021-03-02 15:53:37 -05:00
Alexandru Gagniuc
71551055cb spl: fit: Load devicetree when a Linux payload is found
When a FIT config specifies a devicetree, we should load it, no
questions asked. In the case of the "simple" FIT loading path, a
difficulty arises in selecting the load address of the FDT.

The default FDT location is right after the "kernel" or "firmware"
image. However, if that is an OP-TEE image, then the FDT may end up in
secure DRAM, and not be accessible to normal world kernels.

Although the best solution is to be more careful about the FDT
address, a viable workaround is to only append the FDT after a u-boot
or Linux image. This is identical to the previous logic, except that
FDT loading is extended to IH_OS_LINUX images.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-02-17 19:46:43 -05:00
Alexandru Gagniuc
aeedeae407 spl: fit: Replace #ifdef blocks with more readable constructs
Use the IS_ENABLED() macro to control code flow, instead of the
caveman approach of sprinkling #ifdefs. Code size is not affected, as
the linker garbage-collects unused functions. However, readability is
improved significantly.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-02-17 19:46:43 -05:00
Alexandru Gagniuc
9e9aa0b473 spl: fit: Only look up FIT configuration node once
The configuration node a sub node under "/configurations", which
describes the components to load from "/images". We only need to
locate this node once.

However, for each component, spl_fit_get_image_name() would parse the
FIT image, looking for the correct node. Such work duplication is not
necessary. Instead, once the node is found, cache it, and re-use it.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-02-17 19:46:43 -05:00
Alexandru Gagniuc
e4928270a4 spl: fit: Remove useless loop in spl_fit_get_image_name()
When a desired configuration is not found, conf_node will have a
negative value. Thus the for loop will start at the root "/" node of
the image, print the "/description" property, and stop.

It appears the intent of the loop was to print the names of the
subnodes under "/configurations". We would need the offset to the
"/configurations" node, which is abstracted by fit_find_config_node().

This change agrees that abstracting the node offset is the correct
design, and we shouldn't be parsing the configurations manually. Thus
the loop in spl_fit_get_image_name() is useless. Remove it.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-02-17 19:46:43 -05:00
Alexandru Gagniuc
3dc2079733 spl: fit: Pass FIT context via a structure pointer
Several loose arguments describe the FIT image. They are thus related,
and it makes sense to pass them together, in a structure. Examples
include the FIT blob pointer, offset to FDT nodes, and the offset to
external data.

Use a spl_fit_info structure to group these parameters.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-02-17 19:46:42 -05:00
Alexandru Gagniuc
917fa369f6 spl: fit: Factor out FIT parsing and use a context struct
The logical steps in spl_load_simple_fit() are difficult to follow.
I think the long comments, ifdefs, and ungodly number of variables
seriously affect the readability. In particular, it violates section 6
of the coding style, paragraphs (3), and (4).

The purpose of this patch is to improve the situation by
  - Factoring out initialization and parsing to separate functions
  - Reduce the number of variables by using a context structure
This change introduces no functional changes.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-02-17 17:12:45 -05:00
Alexandru Gagniuc
efc4ad0bc7 spl: fit: Drop 'length' argument to board_spl_fit_post_load()
The size is derived from the FIT image itself. Any alignment
requirements are machine-specific and known by the board code. Thus
the total length can be derived from the FIT image and knowledge of
the platform. The 'length' argument is redundant. Remove it.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
CC: Matt Porter <mporter@konsulko.com>
2021-02-17 17:12:45 -05:00
Simon Glass
401d1c4f5d common: Drop asm/global_data.h from common header
Move this out of the common header and include it only where needed.  In
a number of cases this requires adding "struct udevice;" to avoid adding
another large header or in other cases replacing / adding missing header
files that had been pulled in, very indirectly.   Finally, we have a few
cases where we did not need to include <asm/global_data.h> at all, so
remove that include.

Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
2021-02-02 15:33:42 -05:00
Simon Glass
86c372af1a x86: spl: Add a function to find the text base
It is useful to know the TEXT_BASE value for the image being loaded in
TPL/SPL. Add a new spl_get_image_text_base() function to handle this.

Make use of this in the x86 SPL handler, instead of having the logic
there.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
2021-02-01 15:11:41 +08:00
Simon Glass
09d9ba9097 spl: Add functions for next and previous phase
It is useful to be able to figure out which phase we are loading next and
which phase we came from. Add some functions to handle this as well as
returning the name of a phase. This allows messages like "Booting to x"
where x is the next phase.

At present, TPL says 'Jumping to U-Boot' at the end, when in fact it is
jumping to SPL. This is confusing, so use the new functions to correct
this.

Tests for this will come with an upcoming minor SPL test refactor.

Signed-off-by: Simon Glass <sjg@chromium.org>
2021-01-27 17:03:16 -05:00
Philippe Reynes
4d145f26dd bootcount: allow to use this feature on TPL
This commit add an option TPL_BOOTCOUNT_LIMIT to
use bootcount on TPL.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-01-27 16:58:57 -05:00
Andre Przywara
c0b417b2f1 sunxi: support loading with SPL > 32KB
H616 supports and needs bigger SPL than 32 KiB, mostly due to big DRAM
driver and need for PMIC configuration, which pulls several drivers which
are not needed otherwise.

spl_mmc_get_uboot_raw_sector() will now compare pre-configured size with
that, reported in SPL header. If size in header is bigger, it will use
that value instead.

In the process of function rework, also add missing function argument.

Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
Reviewed-by: Samuel Holland <samuel@sholland.org>
2021-01-25 21:52:00 +00:00
Jernej Skrabec
44726096cf sunxi: Introduce common symbol for H6 like SoCs
It turns out that there are at least 2 other SoCs which have basically
the same memory map, similar clocks and other features as H6. It's very
likely that we'll see more such SoCs in the future. In order to ease
porting to new SoCs and lower ifdef clutter, introduce common symbol for
them.

Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
Reviewed-by: Samuel Holland <samuel@sholland.org>
Reviewed-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
2021-01-25 21:52:00 +00:00
Philippe Reynes
c61b2bf30c common: spl: spl_fit.c: report an error on hash check fail
When the hash check fails on a loadable image, the SPL/TPL simply
jump to the next one. This commit changes this behaviour, when the
hash check fails on a loadable image, the function spl_load_simple_fit
stops and report an error.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-01-16 14:49:09 -05:00
Ovidiu Panait
2a7c9ab479 spl: Kconfig: Add SPL dependency to CONFIG_HANDOFF
CONFIG_HANDOFF is used in u-boot proper to locate handoff info from SPL
during pre-relocation init (in setup_spl_handoff). Add explicit dependency
on CONFIG_SPL, to fix the following build error when CONFIG_HANDOFF &&
!CONFIG_SPL:

common/board_f.c: In function ‘setup_spl_handoff’:
common/board_f.c:283:4: error: ‘gd_t {aka struct global_data}’
has no member named ‘spl_handoff’
  gd->spl_handoff = bloblist_find(BLOBLISTT_SPL_HANDOFF,
    ^~

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-01-15 14:36:12 -05:00
Simon Glass
38d6b7ebda spl: Drop bd_info in the data section
This uses up space in the SPL binary but it always starts as zero. Also
some boards cannot support data in TPL (e.g. Intel Apollo Lake).

Use malloc() to allocate this structure instead, by moving the init a
little later, after malloc() is inited. Make this function optional since
it pulls in malloc().

This reduces the TPL binary size on coral by about 64 bytes

Signed-off-by: Simon Glass <sjg@chromium.org>
2021-01-05 12:24:40 -07:00
Alexandru Gagniuc
03f1f78a9b spl: fit: Prefer a malloc()'d buffer for loading images
Fit images were loaded to a buffer provided by spl_get_load_buffer().
This may work when the FIT image is small and fits between the start
of DRAM and SYS_TEXT_BASE.

One problem with this approach is that the location of the buffer may
be manipulated by changing the 'size' field of the FIT. A maliciously
crafted FIT image could place the buffer over executable code and be
able to take control of SPL. This is unacceptable for secure boot of
signed FIT images.

Another problem is with larger FIT images, usually containing one or
more linux kernels. In such cases the buffer be be large enough so as
to start before DRAM (Figure I). Trying to load an image in this case
has undefined behavior.
For example, on stm32mp1, the MMC controller hits a RX overrun error,
and aborts loading.
    _________________
   |    FIT Image    |
   |                 |
  /===================\                        /=====================\
  ||      DRAM       ||                        |        DRAM         |
  ||                 ||                        |                     |
  ||_________________||  SYS_TEXT_BASE         | ___________________ |
  |                   |                        ||     FIT Image     ||
  |                   |                        ||                   ||
  | _________________ |  SYS_SPL_MALLOC_START  || _________________ ||
  ||  malloc() data  ||                        |||  malloc() data  |||
  ||_________________||                        |||_________________|||
  |                   |                        ||___________________||
  |                   |                        |                     |

        Figure I                                       Figure II

One possibility that was analyzed was to remove the negative offset,
such that the buffer starts at SYS_TEXT_BASE. This is not a proper
solution because on a number of platforms, the malloc buffer() is
placed at a fixed address, usually after SYS_TEXT_BASE. A large
enough FIT image could cause the malloc()'d data to be overwritten
(Figure II) when loading.

          /======================\
          |        DRAM          |
          |                      |
          |                      |   CONFIG_SYS_TEXT_BASE
          |                      |
          |                      |
          | ____________________ |   CONFIG_SYS_SPL_MALLOC_START
          ||   malloc() data    ||
          ||                    ||
          || __________________ ||
          |||    FIT Image     |||
          |||                  |||
          |||                  |||

                 Figure III

The solution proposed here is to replace the ad-hoc heuristics of
spl_get_load_buffer() with malloc(). This provides two advantages:
    * Bounds checking of the buffer region
    * Guarantees the buffer does not conflict with other memory

The first problem is solved by constraining the buffer such that it
will not overlap currently executing code. This eliminates the chance
of a malicious FIT being able to replace the executing SPL code prior
to signature checking.

The second problem is solved in conjunction with increasing
CONFIG_SYS_SPL_MALLOC_SIZE. Since the SPL malloc() region is
carefully crafted on a per-platform basis, the chances of memory
conflicts are virtually eliminated.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2020-12-07 17:40:34 -05:00
Michael Walle
7b866825cd spl: atf: add support for LOAD_IMAGE_V2
Newer platforms use the LOAD_IMAGE_V2 parameter passing method. Add
support for it.

Signed-off-by: Michael Walle <michael@walle.cc>
2020-12-04 16:09:06 -05:00
Michael Walle
553825c109 spl: atf: remove helper structure from common header
bl2_to_bl31_params_mem is just an implementation detail of the SPL ATF
support and is not needed anywhere else. Move it from the header to the
actual module.

Signed-off-by: Michael Walle <michael@walle.cc>
Acked-by: Michal Simek <michal.simek@xilinx.com>
2020-12-04 16:09:05 -05:00
Michael Walle
d2cb0c8f75 spl: atf: provide a bl2_plat_get_bl31_params_default()
Move the actual implementation of the bl2_plat_get_bl31_params() to its
own function. The weak function will just call the default
implementation. This has the advantage that board code can still call
the original implementation if it just want to modify minor things.

Signed-off-by: Michael Walle <michael@walle.cc>
2020-12-04 16:09:05 -05:00
Michael Walle
37c218a06e spl: atf: move storage for bl31_params into function
There is no need to have the storage available globally. This is also a
preparation for LOAD_IMAGE_V2 support. That will introduce a similar
generator function which also has its own storage.

Signed-off-by: Michael Walle <michael@walle.cc>
Acked-by: Michal Simek <michal.simek@xilinx.com>
2020-12-04 16:09:05 -05:00
Philippe Reynes
7d5b1bf6b8 spl: spl_fit.c: enable check of signature for config node in spl/tpl
This commit add the support of signature check for config node
in spl/tpl when the function spl_load_simple_fit is used.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-12-01 14:12:28 -05:00
Simon Glass
3a8ee3df83 board: Rename uclass to sysinfo
This uclass is intended to provide a way to obtain information about a
U-Boot board. But the concept of a U-Boot 'board' is the whole system,
not just one circuit board, meaning that 'board' is something of a
misnomer for this uclass.

In addition, the name 'board' is a bit overused in U-Boot and we want to
use the same uclass to provide SMBIOS information.

The obvious name is 'system' but that is so vague as to be meaningless.
Use 'sysinfo' instead, since this uclass is aimed at providing information
on the system.

Rename everything accordingly.

Note: Due to the patch delta caused by the symbol renames, this patch
shows some renamed files as being deleted in one place and created in
another.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
2020-11-06 10:18:20 +08:00
Michal Simek
caa7fc2c57 spl: Use standard FIT entries
SPL is creating fit-images DT node when loadables are recorded in selected
configuration. Entries which are created are using entry-point and
load-addr property names. But there shouldn't be a need to use non standard
properties because entry/load are standard FIT properties. But using
standard FIT properties enables option to use generic FIT functions to
descrease SPL size. Here is result for ZynqMP virt configuration:
xilinx_zynqmp_virt: spl/u-boot-spl:all -82 spl/u-boot-spl:rodata -22 spl/u-boot-spl:text -60

The patch causes change in run time fit image record.
Before:
fit-images {
        uboot {
                os = "u-boot";
                type = "firmware";
                size = <0xfd520>;
                entry-point = <0x8000000>;
                load-addr = <0x8000000>;
        };
};

After:
fit-images {
        uboot {
                os = "u-boot";
                type = "firmware";
                size = <0xfd520>;
                entry = <0x8000000>;
                load = <0x8000000>;
        };
};

Replacing calling fdt_getprop_u32() by fit_image_get_entry/load() also
enables support for reading entry/load properties recorded in 64bit format.

Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-10-27 08:13:32 +01:00
Tom Rini
18261b8552 Merge branch 'master' of https://gitlab.denx.de/u-boot/custodians/u-boot-sunxi
- sun8i emac changes (Andre)
- SCP firmware (Samuel)
2020-10-22 20:32:02 -04:00
Heinrich Schuchardt
c670aeee3d common: rename getc() to getchar()
The sandbox is built with the SDL2 library with invokes the X11 library
which in turn calls getc(). But getc() in glibc is defined as

    int getc(FILE *)

This does not match our definition.

    int getc(void)

The sandbox crashes when called with parameter -l.

Rename our library symbol getc() to getchar().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-10-22 09:54:53 -04:00
Ovidiu Panait
2dfdd0c4de Kconfig: Use hex values for CONFIG_{SPL,TPL}_SIZE_LIMIT
CONFIG_{SPL,TPL}_SIZE_LIMIT are defined as hex (SPL_SIZE_LIMIT was
converted in b51882d0 ("spl: Convert CONFIG_SPL_SIZE_LIMIT to hex"), but
there are still places that reference integer values. Change those to hex
as well. Also, update the Makefile to check for 0x0 instead of 0.

This also fixes the following build error when CONFIG_SPL_SIZE_LIMIT
is set by menuconfig to 0x0:
...
spl/u-boot-spl.bin exceeds file size limit:
  limit:  0 bytes
  actual: 0x80f0 bytes
  excess: 0x80f0 bytes

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-10-22 09:54:52 -04:00
Samuel Holland
cf70553e2c spl: fit: Minimally parse OS properties with FIT_IMAGE_TINY
Some boards, specifically 64-bit Allwinner boards (sun50i), are
extremely limited on SPL size. One strategy that was used to make space
was to remove the FIT "os" property parsing code, because it uses a
rather large lookup table.

However, this forces the legacy FIT parsing code path, which requires
the "firmware" entry in the FIT to reference the U-Boot binary, even if
U-Boot is not the next binary in the boot sequence (for example, on
sun50i boards, ATF is run first).

This prevents the same FIT image from being used with a SPL with
CONFIG_SPL_FIT_IMAGE_TINY=n and CONFIG_SPL_ATF=y, because the boot
method selection code looks at `spl_image.os`, which is only set from
the "firmware" entry's "os" property.

To be able to use CONFIG_SPL_ATF=y, the "firmware" entry in the FIT
must be ATF, and U-Boot must be a loadable. For this to work, we need to
parse the "os" property just enough to tell U-Boot from other images, so
we can find it in the loadables list to append the FDT, and so we don't
try to append the FDT to ATF (which could clobber adjacent firmware).

So add the minimal code necessary to distinguish U-Boot/non-U-Boot
loadables with CONFIG_SPL_FIT_IMAGE_TINY=y. This adds about 300 bytes,
much less than the 7400 bytes added by CONFIG_SPL_FIT_IMAGE_TINY=n.

Acked-by: Patrick Wildt <patrick@blueri.se>
Signed-off-by: Samuel Holland <samuel@sholland.org>
Reviewed-by: Jagan Teki <jagan@amarulasolutions.com>
2020-10-22 11:43:43 +05:30
Marek Vasut
5675ed7cb6 Revert "Fix data abort caused by mis-aligning FIT data"
This reverts commit eb39d8ba5f.
The commit breaks booting of fitImage by SPL, the system simply hangs.
This is because on arm32, the fitImage and all of its content can be
aligned to 4 bytes and U-Boot expects just that.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Reuben Dowle <reuben.dowle@4rf.com>
Cc: Tom Rini <trini@konsulko.com>
Signed-off-by: Marek Vasut <marex@denx.de>
2020-10-21 19:11:50 -04:00